The vulnerability exists within a function responsible for sending an ASP (AppleTalk Session Protocol) message on an AppleTalk socket. When allocating a buffer, the kernel uses a user provided integer to perform an arithmetic operation that calculates the number of bytes to allocate. This calculation can overflow, leading to the allocation of a buffer of insufficient size. This results in an exploitable heap based buffer overflow within the kernel.

Analysis:
Successful exploitation of this vulnerability will result in the execution of arbitrary code in kernel context. Exploitation has proven to be non-trivial.

In order to reach the vulnerable code, a system would have to have AppleTalk turned on. It would likely be used on a network consisting of older Mac hosts since previous versions of Mac relied on it to implement Apple File Sharing.

Workaround:
Disabling AppleTalk will prevent exploitation of this vulnerability. Executing the following command will disable AppleTalk if it is enabled.

The vulnerability exists within the function responsible for adding an AppleTalk zone to an interface's routing table. A zone can be thought of as something similar to a Windows Domain.

When copying the user provided zone information into a fixed size stack buffer, the kernel uses a user provided length as the number of bytes to copy into the destination buffer. This results in an exploitable stack buffer overflow in the kernel.

Analysis:
Successful exploitation of this vulnerability will result in the execution of arbitrary code in kernel context. Unsuccessful attempts will likely crash the system.

In order to exploit this vulnerability, the system needs to have AppleTalk configured in routing mode. This is not enabled by default. It would likely be enabled on a Mac system running on a network with legacy Mac hosts.

Workaround:
Disabling AppleTalk will prevent exploitation of this vulnerability. Executing the following command will disable AppleTalk if it is enabled.

The vulnerability exists within a function responsible for allocating an mbuf. mbufs are a BSD concept, long used by BSD kernels to allocate buffers for storing network related data.

When allocating an mbuf buffer, the kernel performs a comparison using two signed integers, one of which is controlled by the user, to determine how many bytes to allocate. If a user passes a negative value, a minimally sized buffer will be allocated due to the signed comparison. The calling function will usually interpret the user controlled value as an unsigned value, and this results in the allocated buffer being overflowed.

Analysis:
Successful exploitation of this vulnerability will result in the execution of arbitrary code in kernel context. Unsuccessful attempts will likely crash the system. Exploitation has proven to be non-trivial.

In order to exploit this vulnerability, a system would have to have AppleTalk turned on. It would likely be used on a network consisting of older Mac hosts since previous versions of Mac relied on it to implement Apple File Sharing.

Workaround:
Disabling AppleTalk will prevent exploitation of this vulnerability. Executing the following command will disable AppleTalk if it is enabled.